https://community.splunk.com/t5/Splunk-Search/Stats-to-Display-Counts-of-FQDNs-and-IP-addresses-in-Same-Column/m-p/159486#M45022 <P>Thanks for dropping in, lguinn beat you by 3 mins (-:</P> Fri, 10 Oct 2014 20:49:00 GMT kmasood 2014-10-10T20:49:00Z https://community.splunk.com/t5/Splunk-Search/Stats-to-Display-Counts-of-FQDNs-and-IP-addresses-in-Same-Column/m-p/159483#M45019 <P>Hello,</P> <P>I have this query, which takes an ip address, returns FQDN and count columns:</P> <PRE><CODE>base search | `ip2fqdn(ip)` | stats count by FQDN </CODE></PRE> <P>However, there are some ip addresses that do not resolve to FQDNs, and those show up as "No Reverse Lookup". How do I get the ip addresses to appear for those entries in the above query? The result would look like:</P> <PRE> FQDN (or IP) Count <A href="https://community.splunk.com/www.domain.tld" target="test_blank">www.domain.tld</A> 100 10.1.2.3 75 10.1.2.4 70 example.domain.tld 66 </PRE> <P>I've looked at <CODE>coalesce</CODE> and hoping to avoid doing</P> <PRE><CODE>base search | `ip2fqdn(ip)` | stats count by FQDN,ip </CODE></PRE> <P><STRONG>Update</STRONG></P> <P>Using this query, I've been been able to get what I need:</P> <PRE><CODE>base search | `ip2fqdn(ip)` | eval myfield=FQDN." ".ip | rex mode=sed field=myfield "s/No Reverse Lookup//g" | eval myfield=replace(myfield,"(\w+) \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}","\1") | stats count by myfield </CODE></PRE> <P>Is there a more efficient way of doing this?</P> Fri, 10 Oct 2014 16:00:10 GMT https://community.splunk.com/t5/Splunk-Search/Stats-to-Display-Counts-of-FQDNs-and-IP-addresses-in-Same-Column/m-p/159483#M45019 kmasood 2014-10-10T16:00:10Z https://community.splunk.com/t5/Splunk-Search/Stats-to-Display-Counts-of-FQDNs-and-IP-addresses-in-Same-Column/m-p/159484#M45020 <P>This should do it - I don't know if it will be a lot faster, but it is a lot more simple.</P> <PRE><CODE>base search | `ip2fqdn(ip)` | eval myfield = if(FQDN=="No Reverse Lookup",ip,FQDN) | stats count by myfield </CODE></PRE> Fri, 10 Oct 2014 20:42:06 GMT https://community.splunk.com/t5/Splunk-Search/Stats-to-Display-Counts-of-FQDNs-and-IP-addresses-in-Same-Column/m-p/159484#M45020 lguinn2 2014-10-10T20:42:06Z https://community.splunk.com/t5/Splunk-Search/Stats-to-Display-Counts-of-FQDNs-and-IP-addresses-in-Same-Column/m-p/159485#M45021 <P>Why not just this</P> <PRE><CODE>base search | `ip2fqdn(ip)` | eval FQDN=if (FQDN="No Reverse Lookup", ip,FQDN) |stats count by FQDN </CODE></PRE> Fri, 10 Oct 2014 20:44:47 GMT https://community.splunk.com/t5/Splunk-Search/Stats-to-Display-Counts-of-FQDNs-and-IP-addresses-in-Same-Column/m-p/159485#M45021 somesoni2 2014-10-10T20:44:47Z https://community.splunk.com/t5/Splunk-Search/Stats-to-Display-Counts-of-FQDNs-and-IP-addresses-in-Same-Column/m-p/159486#M45022 <P>Thanks for dropping in, lguinn beat you by 3 mins (-:</P> Fri, 10 Oct 2014 20:49:00 GMT https://community.splunk.com/t5/Splunk-Search/Stats-to-Display-Counts-of-FQDNs-and-IP-addresses-in-Same-Column/m-p/159486#M45022 kmasood 2014-10-10T20:49:00Z https://community.splunk.com/t5/Splunk-Search/Stats-to-Display-Counts-of-FQDNs-and-IP-addresses-in-Same-Column/m-p/159487#M45023 <P>Thank you, just what I was looking for.</P> Fri, 10 Oct 2014 20:49:19 GMT https://community.splunk.com/t5/Splunk-Search/Stats-to-Display-Counts-of-FQDNs-and-IP-addresses-in-Same-Column/m-p/159487#M45023 kmasood 2014-10-10T20:49:19Z https://community.splunk.com/t5/Splunk-Search/Stats-to-Display-Counts-of-FQDNs-and-IP-addresses-in-Same-Column/m-p/159488#M45024 <P>Yeah. wish I could type faster like her <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 10 Oct 2014 20:53:16 GMT https://community.splunk.com/t5/Splunk-Search/Stats-to-Display-Counts-of-FQDNs-and-IP-addresses-in-Same-Column/m-p/159488#M45024 somesoni2 2014-10-10T20:53:16Z https://community.splunk.com/t5/Splunk-Search/Stats-to-Display-Counts-of-FQDNs-and-IP-addresses-in-Same-Column/m-p/159489#M45025 <P>Hello, is it possible to know what the search macro <CODE>ip2fqdn(ip)</CODE>does because I am very interesting to implement the same feature?</P> Wed, 15 Oct 2014 14:35:06 GMT https://community.splunk.com/t5/Splunk-Search/Stats-to-Display-Counts-of-FQDNs-and-IP-addresses-in-Same-Column/m-p/159489#M45025 erwan_raulet 2014-10-15T14:35:06Z https://community.splunk.com/t5/Splunk-Search/Stats-to-Display-Counts-of-FQDNs-and-IP-addresses-in-Same-Column/m-p/159490#M45026 <P>See the external fields lookup example (<A href="http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Addfieldsfromexternaldatasources#External_fields_lookup_example):">http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Addfieldsfromexternaldatasources#External_fields_lookup_example):</A> -- that ships with Splunk Enterprise</P> Wed, 15 Oct 2014 14:47:56 GMT https://community.splunk.com/t5/Splunk-Search/Stats-to-Display-Counts-of-FQDNs-and-IP-addresses-in-Same-Column/m-p/159490#M45026 kmasood 2014-10-15T14:47:56Z https://community.splunk.com/t5/Splunk-Search/Stats-to-Display-Counts-of-FQDNs-and-IP-addresses-in-Same-Column/m-p/159491#M45027 <P>Thanks for the link <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 15 Oct 2014 15:32:19 GMT https://community.splunk.com/t5/Splunk-Search/Stats-to-Display-Counts-of-FQDNs-and-IP-addresses-in-Same-Column/m-p/159491#M45027 erwan_raulet 2014-10-15T15:32:19Z